Skip to content

feat(v2): operation audit log; deprecate the v1 bash tool (v2.1.0)#4

Merged
xxvcc merged 1 commit into
mainfrom
feat/audit-log-v1-deprecation
Jul 8, 2026
Merged

feat(v2): operation audit log; deprecate the v1 bash tool (v2.1.0)#4
xxvcc merged 1 commit into
mainfrom
feat/audit-log-v1-deprecation

Conversation

@xxvcc

@xxvcc xxvcc commented Jul 8, 2026

Copy link
Copy Markdown
Owner

Two requested changes for v2.1.0.

1. Operation audit log (new internal/audit)

Every privileged mutating operation is appended as one JSON line to a root-owned, append-only /var/log/linux-temp-admin/audit.log (0600, opened O_NOFOLLOW in a root-safe dir):

  • account.create / account.delete / account.cleanup, and install / uninstall / upgrade
  • fields: time (RFC3339 UTC), pid, actor (the SUDO_USER behind the operation, else root), uid (effective), action, target, result, detail, and params (host/sudo/auto/registered/fingerprint, force, …)
  • best-effort: a write failure is warned but never blocks or fails the operation itself (you don't want a full disk to prevent revoking a compromised account)
  • wired via App.Audit (audit.Default()); a nil logger is a no-op, so existing tests are unaffected

Example:

{"time":"2026-07-08T09:35:18Z","pid":2079231,"actor":"alice","uid":0,"action":"install","result":"ok","detail":"/usr/local/sbin/linux-temp-admin"}

Limitation (documented): an on-host log is tamperable by root — forward to a remote collector for tamper-evidence.

2. Deprecate the v1 bash tool

temp-admin.sh is no longer maintained: it prints a bilingual deprecation notice at startup pointing to v2 (suppress with LTA_SUPPRESS_DEPRECATION=1, which tests/unit.sh sets so its assertions stay stable) and carries a DEPRECATED file header. It still runs; no further features/fixes. READMEs updated.

Verification

  • gofmt / go vet -printf.funcs=... clean; go build ./... OK.
  • Full suite green: unit + root/integration + -race (new audit tests + e2e asserting create/delete are logged).
  • v1: bash -n, shellcheck -S warning, and tests/unit.sh all pass; warning shows on stderr, stdout stays clean, suppressible.
  • Production audit path smoke-tested via a real install/uninstall: /var/log/linux-temp-admin/audit.log written root:root 0600 with the correct actor.

CHANGELOG: v2.1.0.

🤖 Generated with Claude Code

Audit log (new internal/audit package):
- Every privileged mutating operation — account create/delete, and
  install/uninstall/upgrade — is appended as one JSON line to a root-owned,
  append-only /var/log/linux-temp-admin/audit.log (0600, O_NOFOLLOW), recording
  time, actor (SUDO_USER when present, else root) + effective uid, pid, action,
  target, result, and key params (host/sudo/auto/registered/fingerprint).
- Best-effort: a write failure is warned but never blocks or fails the operation.
- Wired into the CLI via App.Audit (audit.Default()); disabled (no-op) when unset,
  so existing tests are unaffected. e2e test asserts create+delete are logged.

v1 (bash) deprecation:
- temp-admin.sh prints a bilingual deprecation notice at startup pointing to v2
  (suppress with LTA_SUPPRESS_DEPRECATION=1, which tests/unit.sh sets) and carries
  a DEPRECATED header. Still runs; no further features/fixes.

Docs: READMEs mark v1 deprecated and document the audit log; CHANGELOG v2.1.0.

Verified: gofmt/vet clean; full suite (unit + root/integration + -race) green;
production audit path smoke-tested via a real install/uninstall (root:root 0600
JSON lines with the correct actor).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@xxvcc xxvcc merged commit c2db5b2 into main Jul 8, 2026
10 checks passed
@xxvcc xxvcc deleted the feat/audit-log-v1-deprecation branch July 8, 2026 09:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant